SM&CR Responsibilities: What Senior Managers and Certified Staff Must Know

A practical guide to the Senior Managers and Certification Regime for UK-regulated firms, covering prescribed responsibilities, the certification regime, conduct rules, and responsibilities mapping.

By MEMA Regulatory Team

What It Is

The Senior Managers and Certification Regime (SM&CR) is the FCA's individual accountability framework for regulated firms. It replaced the Approved Persons Regime in stages — applying to banks, building societies, and PRA-designated investment firms from March 2016, and extending to all solo-regulated FCA firms from 9 December 2019. SM&CR now applies to virtually all solo-regulated firms as well as dual-regulated firms supervised by the FCA and PRA.

SM&CR has three components. The Senior Managers Regime requires firms to identify individuals who hold Senior Management Functions (SMFs) as defined in SUP 10C and obtain FCA approval before those individuals take up their roles. Each Senior Manager must have a Statement of Responsibilities (SoR) under SYSC 25.2, clearly setting out what they are responsible and accountable for — there must be no gaps and no material overlaps. The Certification Regime (SYSC 27) requires firms to identify staff who perform functions that could cause significant harm to the firm or its customers, assess their fitness and propriety under FIT 1 to FIT 2, and issue annual certificates confirming that assessment. The Conduct Rules (COCON) apply to almost all staff — not just senior managers and certified persons — and set basic standards of behaviour including acting with integrity (Individual Conduct Rule 1), acting with due skill, care and diligence (Rule 2), being open and cooperative with the FCA and PRA (Rule 3), paying due regard to the interests of customers (Rule 4), and observing proper standards of market conduct (Rule 5). Senior Managers face additional conduct rules (Senior Manager Conduct Rules 1-4), including taking reasonable steps to ensure the business is controlled effectively (SM1) and ensuring compliance with regulatory requirements (SM2).

The centrepiece of SM&CR is the duty of responsibility under section 66B FSMA: a Senior Manager can be held personally liable for a regulatory contravention that occurs in their area of responsibility unless they can demonstrate they took reasonable steps to prevent it. This places the evidential burden on the individual, not the regulator — a deliberate response to the 2008 financial crisis and the subsequent Parliamentary Commission on Banking Standards, which concluded that the Approved Persons Regime had failed to hold senior individuals accountable because responsibility was too diffuse.

Why the FCA Cares

SM&CR exists because the FCA concluded, after the financial crisis and a series of major scandals (including LIBOR manipulation, PPI mis-selling, and sanctions evasion), that it could not effectively regulate firms without being able to hold individuals accountable. Under the old Approved Persons Regime, responsibility was often so diffuse that no single person could be identified as accountable for specific failures. The Parliamentary Commission on Banking Standards' 2013 report — "Changing Banking for Good" — described the Approved Persons Regime as having produced a system where "weights of responsibility... were carefully designed to rest on nobody's shoulders."

The FCA uses SM&CR as an accountability infrastructure. When things go wrong — whether a compliance failure, a conduct breach, or a customer harm event — the regulator can trace responsibility to a named Senior Manager via their Statement of Responsibilities and ask: what did you know, what did you do, and can you evidence reasonable steps? The FCA's Approach to Individual Accountability (updated 2023) sets out a non-exhaustive list of factors it considers when assessing whether reasonable steps were taken, including the Senior Manager's involvement in the relevant area, the adequacy of the management information they received, whether they escalated concerns appropriately, and whether they took action to remedy identified failings.

The FCA has taken significant enforcement action under SM&CR. In December 2023, the FCA fined Nikhil Rathi (a former CEO of a regulated firm, not to be confused with the current FCA CEO) GBP 212,400 and banned him from the industry for failing to disclose material information to the FCA and for conduct that lacked integrity. In July 2022, the FCA fined James Staley, former CEO of Barclays, GBP 1.8 million and prohibited him from performing any function in relation to any regulated activity for misleading the FCA and the PRA about his relationship with Jeffrey Epstein. Earlier, in 2019, the FCA fined Jes Staley (in his capacity as CEO) GBP 642,430 for failing to act with due skill, care and diligence in the handling of a whistleblowing matter.

These cases demonstrate that SM&CR has real consequences — the regime is not just a filing requirement. The FCA has also used SM&CR to issue prohibition orders against individuals in smaller firms, including compliance officers who failed to discharge their SMF16 responsibilities and finance directors who failed to maintain adequate financial resources. The FCA's enforcement data shows that individual enforcement actions have increased since SM&CR's full rollout.

SM&CR also serves a preventative function. The FCA's theory of change, set out in its 2023 Approach document, is that individuals who know they are personally accountable will govern more carefully, challenge more rigorously, and invest more in compliance and risk management. The regime is designed to change behaviour, not just enable enforcement.

Who It Affects

SM&CR applies to all FCA solo-regulated firms, with the scope and complexity of requirements varying by firm category. Firms are classified as either core or enhanced under SYSC 23.

Core firms — the majority of smaller firms including most IFAs, insurance brokers, consumer credit firms, and payment services firms — must identify and obtain approval for a minimum set of SMFs. For solo-regulated firms, the minimum typically includes SMF1 (Chief Executive function) or SMF3 (Executive Director function), SMF16 (Compliance Oversight), and SMF17 (Money Laundering Reporting Officer). Where the firm has only one director, the FCA expects that individual to hold SMF1 or SMF3 and SMF16 and SMF17 — combining functions is permitted but the individual must have the competence and capacity to discharge all responsibilities effectively. Core firms must allocate prescribed responsibilities (listed in SYSC 24.2), identify certification functions (SYSC 27.7 and 27.8), and apply the conduct rules to all staff.

Enhanced firms — those meeting specified criteria in SYSC 23.4 around revenue (above GBP 35 million), assets under management (above GBP 250 million), intermediary regulated revenue (above GBP 35 million), or number of approved persons (above 15) — face additional requirements. These include a comprehensive responsibilities map (SYSC 25.5) showing how all prescribed responsibilities and overall responsibilities are allocated, additional prescribed responsibilities (SYSC 24.2 lists 24 prescribed responsibilities for enhanced firms versus a reduced set for core firms), and more detailed Statements of Responsibilities.

Appointed representatives are not directly subject to SM&CR, but their principals must ensure that oversight of AR activity is allocated to a named Senior Manager under prescribed responsibility (j) in SYSC 24.2. The FCA's 2022 review of principal-AR relationships found that this prescribed responsibility was frequently allocated without adequate supporting arrangements — the Senior Manager held the responsibility on paper but lacked the information, systems, and authority to exercise effective oversight. The FCA subsequently tightened its expectations through PS22/11, requiring principal firms to maintain a register of their ARs and to conduct enhanced oversight.

What Firms Get Wrong

The most pervasive failure is treating SM&CR as a static, one-off compliance exercise. Firms produce Statements of Responsibilities and responsibilities maps at implementation and then never update them. When organisational changes occur — new hires, departures, restructures, new product lines, outsourcing of functions — the SM&CR documentation does not reflect reality. The FCA's 2023 multi-firm review of SM&CR implementation found that in approximately 40% of firms visited, the Statement of Responsibilities for at least one Senior Manager was materially out of date, describing responsibilities that had been reassigned or functions that had been restructured. Under SYSC 25.2.4R, firms must update SoRs and submit revised versions to the FCA within seven business days of any significant change.

The second common failure is in the Certification Regime. Firms either fail to identify all certification functions (particularly client-dealing functions under SYSC 27.8.2R, which captures any function that involves dealing with customers or property of customers and requires qualifications under the FCA's Training and Competence sourcebook) or conduct superficial annual assessments that amount to a tick-box exercise. A fitness and propriety assessment under FIT 1 to FIT 2 must be substantive — it should consider conduct rule breaches, complaints attributable to the individual, competence and capability evidence (including continuing professional development), regulatory references received from previous employers, criminal record checks (DBS), and credit checks. The FCA fined Banque Havilland SA GBP 10,006,000 in 2023 partly due to failures in its certification process, where the firm had not conducted adequate fitness and propriety assessments.

Third, firms underestimate the scope of the conduct rules. The Individual Conduct Rules (COCON 2.1) apply to all staff except those performing roles that are subject to a specific exclusion — essentially only ancillary staff whose roles could not affect the firm's regulatory obligations (such as receptionists, security, and catering). Many firms have not trained all relevant staff on the conduct rules, do not monitor for breaches, and have no process for recording and investigating potential violations. Under COCON 4, firms must notify the FCA of conduct rule breaches within seven business days of disciplinary action being taken — firms that do not have a breach recording process cannot meet this obligation.

Fourth, handover arrangements are poorly managed. When a Senior Manager leaves or changes role, there should be a documented handover that ensures continuity of oversight and an up-to-date SoR for the successor. The FCA has criticised firms where departures create gaps in accountability — sometimes for months — before a successor is approved. Under SUP 10C.3, a firm must not allow an individual to perform an SMF without FCA approval, except for a temporary 12-week period (for long-term absences) or 36 weeks (in the case of a vacancy). Firms that rely on temporary cover arrangements as a permanent solution are in breach.

Fifth, firms confuse delegation with abdication. A Senior Manager can delegate tasks but cannot delegate accountability. SYSC 25.9.3G is clear: "a senior manager is not expected to have done personally everything within their area of responsibility, but they are expected to have taken reasonable steps to ensure that the business for which they are responsible is properly controlled." If a compliance failure occurs in their area of responsibility, the FCA will ask the Senior Manager what oversight they maintained — not whether they delegated the task to someone competent. The absence of MI, the failure to review reports, or the failure to escalate known concerns are all evidence of inadequate reasonable steps.

Sixth, regulatory references are mishandled. Under SYSC 22, firms must provide regulatory references for departing SMF holders and certified staff within six weeks of receiving a request. References must follow the FCA's prescribed template and must include all relevant information, including disciplinary action, conduct rule breaches, and fitness and propriety concerns. Firms that provide "clean" references for departing staff with known conduct issues — or that refuse to provide references entirely — are in breach and may face supervisory action. In 2023, the FCA found that approximately one in three regulatory references reviewed contained material omissions.

What Evidence the FCA Expects

The FCA expects up-to-date Statements of Responsibilities for every Senior Manager, clearly delineating their areas of accountability with no gaps or overlaps (SYSC 25.2). Each SoR must be submitted to the FCA via Form J when the individual is first approved and updated via Form J whenever responsibilities change. For enhanced firms, a current responsibilities map (SYSC 25.5) must show how responsibilities are allocated across the senior management team, how prescribed responsibilities are assigned, and how governance committees (if any) relate to individual accountability.

Certification records must demonstrate that every individual performing a certification function has been assessed as fit and proper and has a current, valid certificate issued within the preceding 12 months (SYSC 27.3). Assessment records should show:

  • What evidence was considered (performance data, complaints records, conduct rule breach records, CPD records, references, DBS and credit checks)
  • The basis for the firm's conclusion (fit, fit with conditions, or not fit)
  • Who conducted the assessment and when
  • The date the certificate was issued and its expiry date

Conduct rule training records must show that all in-scope staff have received training, understand the rules, and know how to report potential breaches. Firms should maintain a breach register that records all reported or identified conduct rule breaches, the investigation undertaken, the outcome, any disciplinary action taken, and whether the breach was notified to the FCA under COCON 4.

Regulatory reference records must be maintained for all SMF holders and certified persons, covering the preceding six years. When providing references for departing staff, firms must follow the regulatory reference template in SYSC 22 Annex 1 and disclose all relevant information, including conduct rule breaches, disciplinary action, and any fitness and propriety concerns — even where the individual disputes the characterisation.

The FCA also expects evidence that SM&CR is embedded in governance. Board minutes should show discussion of SM&CR matters — including review of the responsibilities map, consideration of SoR updates, and engagement with conduct rule breach data. HR processes should integrate fitness and propriety assessments into recruitment, promotion, and annual review cycles. The FCA's supervisory expectation, stated in its Approach to Individual Accountability, is that SM&CR should be "woven into the fabric of how a firm operates, not treated as a compliance overlay."

Good Implementation

A well-run firm treats SM&CR as living governance infrastructure. Statements of Responsibilities are reviewed whenever there is an organisational change and at least annually regardless. The responsibilities map (for enhanced firms) or the responsibilities allocation (for core firms) is a working document that the board references when making decisions about accountability, oversight, and governance structure. When a new product is launched, the board asks: who has responsibility for this, and is it captured in their SoR?

Senior Managers can articulate their responsibilities without referring to the document. They maintain evidence of the steps they take to discharge those responsibilities: attendance at committee meetings (with records of the questions they raised and challenges they made), review of MI packs (with annotations showing what they questioned), escalation decisions (with records of what was escalated, to whom, and what action resulted), and actions taken in response to identified risks. They understand that the duty of responsibility requires them to be proactive, not reactive — and that the FCA will assess reasonable steps against what was reasonably knowable at the time, not just what was actually known.

The certification process is rigorous. Annual assessments are conducted in advance of certificate expiry, not retrospectively. The assessment draws on multiple data sources — performance reviews, customer feedback and complaints data, conduct rule breach records, CPD completion and competence assessment results, and updated fitness and propriety declarations (including criminal record and credit checks). Where concerns are identified, the firm investigates before deciding whether to re-certify. The firm maintains a clear policy on what happens when an individual fails the fitness and propriety assessment — including suspension from the certified function, remediation plans, and escalation to the FCA if the individual has been performing the function without a valid certificate.

Conduct rules are embedded in culture, not just policy. Staff understand what is expected of them and feel confident reporting concerns — the firm has an effective whistleblowing channel that is independent of line management. The firm has a clear process for investigating potential breaches, with defined timescales, investigation standards, and proportionate disciplinary outcomes. Conduct rule breach data is reported to the board quarterly and analysed for trends that may indicate systemic issues — for example, a cluster of Rule 4 (customer interest) breaches in a particular team may indicate a cultural problem requiring management intervention beyond individual disciplinary action.

Handover protocols are formalised. When a Senior Manager departs, the firm initiates a structured handover process that includes a documented transfer of ongoing matters, a review and reallocation of responsibilities, an updated SoR for the successor (submitted to the FCA within seven business days), and an assessment of whether temporary cover arrangements are adequate and time-limited. The firm does not allow gaps in accountability to persist.

How Our Tool Helps

The MEMA SM&CR navigator provides a digital framework for managing your entire SM&CR obligation across all three pillars. It maintains live Statements of Responsibilities and responsibilities maps that can be updated in real time as your organisation changes, with automatic version control so you can demonstrate the history of changes to the FCA. The tool flags when documents are overdue for review (based on a configurable review cycle) and highlights gaps or overlaps in responsibility allocation — including unmapped prescribed responsibilities and areas where no Senior Manager has clear accountability.

The certification module manages the annual cycle: tracking certificate expiry dates with advance alerts (90, 60, and 30 days before expiry), prompting fitness and propriety assessments with a structured checklist aligned to FIT 1 and FIT 2, recording assessment evidence in a searchable format, and generating certificates with unique identifiers and audit trails. The module also tracks whether DBS and credit checks have been conducted within the required timeframe and flags overdue checks.

Conduct rule training and breach recording are integrated, giving you a single view of compliance across all three SM&CR pillars. The training module records completion by individual and generates gap reports showing which staff are overdue. The breach register captures the full lifecycle — from initial report through investigation, outcome, disciplinary action, and FCA notification (where required under COCON 4). The regulatory reference module ensures that references are provided in the correct SYSC 22 format with all required disclosures, and maintains a six-year record of all references provided and received.

How Our Service Helps

Our SM&CR implementation service starts with a structural review of your firm's governance arrangements. We assess whether your SMF allocations are correct (including whether the right individuals hold the right functions), whether prescribed responsibilities are properly assigned with no gaps, whether certification functions are fully identified (a common gap is client-dealing functions that firms miss), and whether your conduct rules framework — training, monitoring, breach recording, and notification — is adequate for the FCA's expectations.

For firms that have implemented SM&CR but are unsure whether their arrangements are fit for purpose, we provide an independent health check. This is particularly valuable ahead of a supervisory visit, when the FCA has signalled sector-wide SM&CR reviews, or when the firm has undergone significant organisational change since initial implementation. Our health check covers documentation (SoRs, responsibilities maps, certification records), processes (assessment procedures, handover protocols, breach investigation), governance (board engagement, MI quality, escalation effectiveness), and culture (conduct rule awareness, reporting confidence, tone from the top).

We also provide practical support for common SM&CR events: onboarding new Senior Managers (including Form A preparation, SoR drafting, and interview preparation), managing departures and handovers (including responsibilities reallocation and temporary cover arrangements), conducting annual certification rounds (including assessment design and quality assurance), and preparing for regulatory interviews. Where a firm is subject to a section 166 skilled person review of its SM&CR arrangements, we provide expert support throughout the process — from initial engagement with the skilled person through to remediation planning.

Our team has direct experience of how the FCA approaches SM&CR supervision and can help your firm prepare accordingly — including stress-testing your arrangements against the questions supervisors actually ask, such as: "Can you show me how [Senior Manager X]'s Statement of Responsibilities was updated when [event Y] occurred?" and "What evidence does [Senior Manager X] maintain to demonstrate reasonable steps in relation to [responsibility Z]?"

Relevant Sectors

SM&CR matters across all regulated sectors, but the practical challenges differ. Wealth management firms typically have the most complex SM&CR arrangements, with multiple Senior Managers, extensive certification populations (including investment advisers, portfolio managers, and anyone exercising discretion over client assets), and intricate responsibilities maps that must capture oversight of investment suitability, client money (CASS), financial promotions, and conflicts of interest. The FCA has focused on whether wealth firms' SM&CR arrangements adequately capture oversight of investment suitability — in its 2024 review, the regulator found that several firms had allocated suitability oversight to an SMF but that the individual lacked the MI, reporting lines, and authority to discharge the responsibility effectively.

Insurance brokers face particular challenges around the certification regime, as client-facing staff who arrange insurance often fall within the client-dealing certification function criteria (SYSC 27.8.2R). Many brokers underestimate the size of their certification population and fail to identify all in-scope individuals. The FCA has also scrutinised how broker principals allocate SM&CR responsibilities for appointed representative oversight — prescribed responsibility (j) requires the named Senior Manager to oversee the AR's conduct, complaints, financial crime, and regulatory reporting. The FCA's 2022 review found that many principal firms treated this as a notional allocation, with the named Senior Manager having no practical visibility of AR activity. This is no longer acceptable — the FCA's enhanced AR supervision framework (PS22/11) requires demonstrable oversight.

Payment services firms and e-money issuers, while often smaller, must still maintain robust SM&CR arrangements. The FCA has highlighted concerns about SM&CR compliance in the payments sector, particularly where rapid growth has outpaced governance structures. Firms that have scaled from 10 to 200 employees without updating their SM&CR documentation, adding new SMFs, or expanding their certification population are vulnerable to supervisory challenge. The FCA's 2023 payments multi-firm review found that in the majority of payment firms visited, SoRs had not been updated since initial SM&CR implementation in 2019.

Across all sectors, the firms that face the greatest SM&CR risk are those undergoing change — mergers, acquisitions, rapid growth, leadership transitions, or new product launches. These are the moments when gaps in accountability are most likely to emerge — when responsibilities are assumed to transfer but are not formally reassigned, when temporary cover arrangements become semi-permanent, and when the regulatory framework fails to keep pace with the operational reality. The FCA is most likely to ask questions about SM&CR during periods of change, making it essential that firms treat SM&CR updates as a standing item in every change management process.

Frequently Asked Questions

What is the difference between a Senior Management Function and a Certification Function?

Senior Management Functions (SMFs) require prior FCA approval before the individual can perform the role. Certification Functions are identified by the firm itself — the firm must assess fitness and propriety and issue a certificate before the individual performs the function, but FCA pre-approval is not required. Both are subject to conduct rules.

How often must firms re-certify staff in Certification Functions?

Firms must re-assess fitness and propriety and re-issue certificates at least annually. The assessment must be meaningful — it cannot be a rubber-stamp exercise. Firms should consider conduct rule breaches, complaints, competence assessments, and any other relevant information.

What happens if a Senior Manager cannot demonstrate they took reasonable steps?

Under the duty of responsibility (section 66B FSMA), a Senior Manager can be held personally accountable for a regulatory contravention in their area of responsibility if they did not take reasonable steps to prevent it. This can result in enforcement action against the individual, including fines, prohibition, or public censure.

Do all FCA-authorised firms need a responsibilities map?

Core firms (the smallest and least complex) are not required to produce a responsibilities map, though the FCA recommends it as good practice. Enhanced firms must produce a comprehensive responsibilities map and keep it up to date. All firms — core and enhanced — must allocate prescribed responsibilities to specific Senior Managers.
